EU GDPR Legislation

Article by Rene Spronk (who runs a number of HL7/ITK/IHE courses in the UK).

http://www.ringholm.com/column/GDPR_impact_on%20healthcare_data_interoperability.htm

and related thread on FHIR chat site: https://chat.fhir.org/#narrow/stream/implementers/topic/EU.20GDPR.20Legislation

I’m not a fan of the security approaches (or 1990s interoperability methods) being suggested, favouring instead modern web-based tech (JSON, OAuth2, REST, etc.).

This is a great article. I’m not sure how most NHS organisations expect to become compliant, since there is clearly a technology hurdle they need to get over to provide ‘computable machine readable data’. Our GP colleagues, on the other hand, can do this. I wonder when they would become compliant. Overall, I think this is a good thing and will accelerate interop.

The technology side has roughly two parts:

  • interoperable format
  • patient consent

As I read it (maybe looking too much into the social media drivers behind GDPR), it’s the patient who has to be able to move the data (not the organisation) between care providers and systems.

I’m hoping the interoperable format is a quick win; we are in some ways a ‘green field’ organisation and can move directly to XML/JSON-based solutions (that includes a mix of structured data and PDF; we have a basis for this in CareConnectAPI, which covers the majority of care sectors).

Consent, maybe not, but I’d suggest looking at how PHR and personal health devices work with OAuth2 consents as a way forward. [The obvious candidate from a FHIR perspective being SMART-on-FHIR.] As a patient I’m not as precious about my health data (as a 40+ MAMIL my health data is shared daily), but I would like to be able to consent (electronically, NOT ON PAPER, and not let a system or organisation do it for me unless clinically necessary) and be able to view who has accessed my record.

P.S. If someone wishes to use paper to consent they can, but I suggest we do the easy part first?
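To make the consent and "who accessed my record" parts of the above concrete, here is an added example (not code from the post, nor from the SMART-on-FHIR or HL7 projects) showing how a FHIR server can enforce the OAuth2 scopes a patient consented to and record each access as a FHIR R4 AuditEvent. It uses SMART v1 scope syntax (`patient/Observation.read` etc.), and the token claims, the patient identifiers, the `hypothetical-phr-app` client and the `example-fhir-server` name are all constructed sample values. Token validation itself (signature, expiry, audience) is assumed to have happened before this point and is not shown.

```python
# Added example: SMART-on-FHIR scope enforcement plus FHIR AuditEvent logging.
# Not from the original post; all identifiers below are constructed samples.
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample OAuth2 access-token claims, as the resource server would
# see them after validating the token. Hypothetical values, not real data.
SAMPLE_TOKEN_CLAIMS = {
    "sub": "practitioner-42",                  # who is acting
    "client_id": "hypothetical-phr-app",       # app the patient consented to
    "patient": "nhs-9000000009",               # patient context the consent covers
    "scope": "openid launch/patient patient/Observation.read patient/DocumentReference.read",
}

READ_METHODS = {"GET"}
ACTION_CODES = {"GET": "R", "POST": "C", "PUT": "U", "PATCH": "U", "DELETE": "D"}

@dataclass(frozen=True)
class FhirRequest:
    method: str         # HTTP method of the REST call
    resource_type: str  # FHIR resource type, e.g. "Observation"
    patient_id: str     # patient the target resource belongs to

def parse_scopes(scope_string):
    """Parse SMART v1 resource scopes ("context/ResourceType.permission") into
    {(context, resource_type): {permissions}}. Non-resource scopes such as
    openid or launch/patient are ignored; '*' means any type / any permission."""
    allowed = {}
    for scope in scope_string.split():
        context, _, rest = scope.partition("/")
        rtype, sep, perm = rest.rpartition(".")
        if context not in ("patient", "user", "system") or not sep or not rtype:
            continue
        allowed.setdefault((context, rtype), set()).add(perm)
    return allowed

def is_permitted(claims, request):
    """True if the token's scopes allow this request. A patient/ scope is also
    bound to the patient named in the token's "patient" claim, so a consent
    granted for one patient cannot be replayed against another patient's record."""
    needed = "read" if request.method in READ_METHODS else "write"
    for (context, rtype), perms in parse_scopes(claims.get("scope", "")).items():
        if rtype not in (request.resource_type, "*"):
            continue
        if needed not in perms and "*" not in perms:
            continue
        if context == "patient" and claims.get("patient") != request.patient_id:
            continue
        return True
    return False

def audit_event(claims, request, permitted):
    """Minimal FHIR R4 AuditEvent: who (agent), what (entity) and outcome.
    Denied attempts are recorded too, so the patient can see those as well."""
    return {
        "resourceType": "AuditEvent",
        "type": {"system": "http://terminology.hl7.org/CodeSystem/audit-event-type", "code": "rest"},
        "action": ACTION_CODES.get(request.method, "E"),
        "recorded": datetime.now(timezone.utc).isoformat(),
        "outcome": "0" if permitted else "4",   # 0 = success, 4 = minor failure (denied)
        "agent": [
            {"who": {"identifier": {"value": claims["sub"]}}, "requestor": True},
            {"who": {"identifier": {"value": claims["client_id"]}}, "requestor": False},
        ],
        "source": {"observer": {"display": "example-fhir-server"}},  # assumed server name
        "entity": [
            {"what": {"reference": f"Patient/{request.patient_id}"}},
            {"what": {"display": f"{request.resource_type} ({request.method})"}},
        ],
    }

def handle_request(claims, request, audit_log):
    """Authorise one request, append an AuditEvent to the log, return the decision."""
    permitted = is_permitted(claims, request)
    audit_log.append(audit_event(claims, request, permitted))
    return permitted

def patient_access_log(audit_log, patient_id):
    """The patient's 'who has accessed my record' view: events touching this patient."""
    ref = f"Patient/{patient_id}"
    return [
        {"who": ev["agent"][0]["who"]["identifier"]["value"],
         "via": ev["agent"][1]["who"]["identifier"]["value"],
         "what": ev["entity"][1]["what"]["display"],
         "allowed": ev["outcome"] == "0"}
        for ev in audit_log
        if any(e["what"].get("reference") == ref for e in ev["entity"])
    ]

if __name__ == "__main__":
    log = []
    for req in (FhirRequest("GET", "Observation", "nhs-9000000009"),       # in scope: allow
                FhirRequest("PUT", "Observation", "nhs-9000000009"),       # read-only scope: deny
                FhirRequest("GET", "Observation", "nhs-9000000001"),       # other patient: deny
                FhirRequest("GET", "MedicationRequest", "nhs-9000000009")): # type not consented: deny
        decision = "allow" if handle_request(SAMPLE_TOKEN_CLAIMS, req, log) else "deny"
        print(req.method, req.resource_type, req.patient_id, "->", decision)
    print(json.dumps(patient_access_log(log, "nhs-9000000009"), indent=2))
```

The point of binding `patient/` scopes to the token's `patient` claim is that the consent the patient gave in the OAuth2 flow is for their own record only; a `user/` or `system/` scope (a clinician or back-end service) is not bound that way and would be governed by the organisation's own access policy instead. In a real deployment the AuditEvent would be persisted to the FHIR store rather than a list, and the patient-facing view would be a search on AuditEvent by patient.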